Linux users beware: The hidden vulnerability in curl’s SOCKS5 proxy handshake

On October 11, curl’s lead developer dropped the news in a blog post, explaining it’s “the worst security problem found in curl in a long time.” The vulnerability has also been documented and published as CVE-2023-38545 as impacting libcurl versions ranging from 7.69.0 to 8.3.0.

Curl (often stylized as “cURL”) is a command-line tool and library for transferring data with URLs. It is designed to work with a wide range of network protocols and provides the ability to perform data transfers. Its associated library, libcurl, allows developers to integrate the capabilities of curl into their own applications. It is a core component in numerous applications on Linux and other platforms.

Which brings us to SOCKS5, a rather common network protocol that allows routing network traffic between a client and server through a proxy server. You might have already encountered it if you’ve ever used NordVPN’s server connections as SOCKS5 proxies in specific configurations. Notably, this versatile protocol also plays a pivotal role in communicating across the Tor network, and it boasts a myriad of other applications across the digital landscape.

Curl’s critical weakness stems from an unexpected source: the length of hostnames. When curl is tasked with passing along a hostname to the SOCKS5 proxy for resolution, it is supposed to handle hostnames of up to 255 bytes in length. However, if a hostname surpasses this limit, curl should switch to local name resolution and forward only the resolved address to the proxy. Alas, due to a bug, during a sluggish SOCKS5 handshake, the local variable meant to signal “let the host resolve the name” sometimes acquires the wrong value. The unintended result? The excessive hostname gets copied into the target buffer instead of just the resolved address, creating a potential entry point for security breaches utilizing the curl library.

Nevertheless, to be executed, the vulnerability requires specific preconditions to be met:

1. The curl request is made via socks5h.
2. The curl state machine’s negotiation buffer is smaller than ~65k.
3. The SOCKS server’s “hello” reply is delayed.
4. The attacker sets a final destination hostname larger than the negotiation buffer.

These specific conditions may appear extensive, but you still should be wary and stay up to date given the widespread adoption of curl across a spectrum of operating systems, applications, and Internet of Things (IoT) devices.

For Linux users, especially those who utilize SOCKS5 service, it’s crucial to recognize that mitigating this vulnerability is a client-side affair. The issue resides within the curl on the client’s end, leaving server administrators powerless to directly counter the threat. Thus, the onus for protecting systems lies squarely with the clients themselves. It’s important to note that this does not affect NordVPN applications, extensions, or VPN protocols in any way. It can only affect users who employ specific SOCKS5 manual configurations in their setups. Nonetheless, we urge users to take the following actions:

• Upgrade curl and libcurl to version 8.4.0.
• Update any software that utilizes a statically linked libcurl library.

The world of cybersecurity is a complex and ever-evolving landscape. The preconditions for the curl security issue may seem convoluted, but they serve as a reminder of the creativity and persistence of malicious actors. Stay informed, stay secure, and ensure that your software is up to date to protect against potential security fires.